CVE-2026-31708

Severity CVSS v4.0: Pending analysis
Type: CWE-125 Out-of-bounds Read
Publication date: 01/05/2026
Last modified: 06/05/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path

smb2_ioctl_query_info() has two response-copy branches: PASSTHRU_FSCTL
and the default QUERY_INFO path. The QUERY_INFO branch clamps
qi.input_buffer_length to the server-reported OutputBufferLength and then
copies qi.input_buffer_length bytes from qi_rsp->Buffer to userspace, but
it never verifies that the flexible-array payload actually fits within
rsp_iov[1].iov_len.

A malicious server can return OutputBufferLength larger than the actual
QUERY_INFO response, causing copy_to_user() to walk past the response
buffer and expose adjacent kernel heap to userspace.

Guard the QUERY_INFO copy with a bounds check on the actual Buffer
payload. Use struct_size(qi_rsp, Buffer, qi.input_buffer_length)
rather than an open-coded addition so the guard cannot overflow on
32-bit builds.
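A userspace model of the guard described above, added here as an example; it is not the kernel patch or code from this advisory. The struct layout, the function names and the -1 return value are assumptions, and a 32-bit `size_t` is modelled with `uint32_t` so the wrap in the open-coded addition can be seen on any host.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a QUERY_INFO response body (layout is an assumption). */
struct qi_rsp_model {
    uint16_t structure_size;
    uint16_t output_buffer_offset;
    uint32_t output_buffer_length;  /* server-controlled */
    uint8_t  buffer[];              /* flexible-array payload */
};
#define HDR ((uint32_t)offsetof(struct qi_rsp_model, buffer))

/* struct_size()-style sum: saturates instead of wrapping (uint32_t models a 32-bit size_t). */
static uint32_t rsp_size_sat32(uint32_t n)
{
    return n > UINT32_MAX - HDR ? UINT32_MAX : HDR + n;
}

/* Open-coded guard: HDR + len can wrap, so a huge len looks like it fits. */
bool open_coded_guard32(uint32_t len, uint32_t iov_len)
{
    return (uint32_t)(HDR + len) <= iov_len;
}

/* Bytes that may be copied to the caller, or -1 (hypothetical error value)
 * when the claimed payload does not fit in the iov_len bytes received. */
int64_t query_info_copy_len(uint32_t user_len, uint32_t server_len, uint32_t iov_len)
{
    uint32_t len = user_len < server_len ? user_len : server_len; /* the clamp */
    if (rsp_size_sat32(len) > iov_len)
        return -1;
    return (int64_t)len;
}

int main(void)
{
    uint32_t iov_len = HDR + 64;    /* constructed: 64 payload bytes received */
    printf("honest 64:     %lld\n", (long long)query_info_copy_len(64, 64, iov_len));
    printf("claims 4096:   %lld\n", (long long)query_info_copy_len(4096, 4096, iov_len));
    printf("wrap, open:    %d\n", open_coded_guard32(0xFFFFFFFCu, iov_len));
    printf("wrap, guarded: %lld\n",
           (long long)query_info_copy_len(0xFFFFFFFCu, 0xFFFFFFFCu, iov_len));
    return 0;
}
```

The clamp alone only bounds the copy by what the server claims; the added comparison against `iov_len` is what ties it to the bytes actually received.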

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.1 (including) 6.6.136 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.84 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.25 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.2 (excluding)